Tux Machines
Let’s Encrypt Turns Ten
Posted by Roy Schestowitz on Dec 11, 2025, updated Dec 11, 2025
Nick Heer ☛ Let’s Encrypt Turns Ten
An ironic side effect of the popularity of Let’s Encrypt is that its Certificate Transparency Logs are a fruitful resource for bots and bad actors finding new domains to exploit. A 2023 paper by Stijn Pletinckx, et al. (PDF) describes how automated traffic began hitting test servers “just seconds after publishing the [certificate log] entry” compared to no attempts against domains without a certificate. This traffic typically looks like attempts to find unpatched vulnerabilities, like basic SQL injection strings and bugs in common WordPress plugins. This abuse of C.T. logs is not unique to Let’s Encrypt. But it is popular and free, and that makes its logs a target-rich environment. Neither is this a reason to avoid using Let’s Encrypt. It just means one needs to be cautious about what is on their server from the moment they decide to install an HTTPS certificate.
Ayer ☛ Certificate Authorities Are Once Again Issuing Certificates That Don't Work
Twice a year, the Certificate Transparency ecosystem undergoes a transition as certificate authorities start to submit certificates to new semiannual log partitions. And recently, the ecosystem has started transitioning to the new static-ct-api specification. Unfortunately, despite efforts to make these transitions extremely easy for certificate authorities, in the past week I have detected 16 certificate authorities who have bungled these transitions, issuing certificates that are rejected by some or all mainstream web browsers with an error message like "This Connection Is Not Private" or ERR_CERTIFICATE_TRANSPARENCY_REQUIRED.
Let's Encrypt ☛ 10 Years of Let's Encrypt Certificates
On September 14, 2015, our first publicly-trusted certificate went live. We were proud that we had issued a certificate that a significant majority of clients could accept, and had done it using automated software. Of course, in retrospect this was just the first of billions of certificates. Today, Let’s Encrypt is the largest certificate authority in the world in terms of certificates issued, the ACME protocol we helped create and standardize is integrated throughout the server ecosystem, and we’ve become a household name among system administrators. We’re closing in on protecting one billion web sites.
LWN:
10 Years of Let's Encrypt Certificates
Let's Encrypt has published a retrospective that covers the decade since it published its first publicly trusted certificate in September 2015: